Capabilities Defined by POSIX Draft

| Name | Description | Default |
|---|---|---|
| chown | A process with this capability set on can change the ownership of files that do not belong to it or that belong to another user. This capability must be on for the Container root user to change the ownership of files and directories inside the Container. | on |
| dac_override | Allows access to files even if their permissions are set to deny access. Normally leave this on so that the Container root user can access files even if the permissions do not allow it. | on |
| dac_read_search | Overrides restrictions on reading and searching for files and directories. The explanation is almost the same as for dac_override, with the sole exception that this capability does not override executable restrictions. | on |
| fowner | Overrides restrictions on setting the S_ISUID and S_ISGID bits on a file, which require that the effective user ID and effective group ID of the process match the file owner ID. | on |
| fsetid | Used to decide between falling back on the old suser() or fsuser(). | on |
| kill | Allows sending signals to processes owned by other users. | on |
| setgid | Allows group ID manipulation and forged group IDs on socket credentials passing. | on |
| setuid | Allows user ID manipulation and forged user IDs on socket credentials passing. | on |
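To check which of the capabilities listed above are actually on for a process, the effective capability mask can be decoded and compared with the defaults in the table. The following is an added example, not part of the original documentation: it assumes a Linux-based Container where `/proc/<pid>/status` exposes a `CapEff` field and the bit numbers are those of `<linux/capability.h>`; the function names and the sample status text are constructed for illustration.

```python
import re

# Assumption: bit numbers as defined in <linux/capability.h>
# for the eight capabilities listed in the table.
POSIX_DRAFT_CAPS = {
    "chown": 0,
    "dac_override": 1,
    "dac_read_search": 2,
    "fowner": 3,
    "fsetid": 4,
    "kill": 5,
    "setgid": 6,
    "setuid": 7,
}

# Constructed sample of the capability lines in /proc/<pid>/status.
# 0xdd has bits 1 (dac_override) and 5 (kill) cleared.
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000000dd\n"
    "CapEff:\t00000000000000dd\n"
)

def parse_cap_mask(status_text, field="CapEff"):
    """Return the integer bitmask stored in the given Cap* field."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} not found in status text")
    return int(m.group(1), 16)

def cap_states(mask):
    """Map each capability from the table to 'on' or 'off' for this mask."""
    return {name: "on" if (mask >> bit) & 1 else "off"
            for name, bit in POSIX_DRAFT_CAPS.items()}

def deviations_from_default(mask):
    """Capabilities that are off although the table lists their default as on."""
    return sorted(n for n, s in cap_states(mask).items() if s == "off")

def read_status(pid="self"):
    """Read the live status text of a process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()

if __name__ == "__main__":
    mask = parse_cap_mask(SAMPLE_STATUS)
    for name, state in cap_states(mask).items():
        print(f"{name:16} {state}")
    print("off despite default on:", deviations_from_default(mask))
```

Inside a running Container, pass `read_status()` instead of the sample text to inspect the current process.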